- Added internal htmlentities function with array support and ENT_QUOTES.

Marius Burkard · Marius Burkard · commit 5902e62cfddf · 2017-12-29T12:10:30.000+01:00
- Fixed #4893 Stored XSS issue in email name field
diff --git a/interface/lib/classes/functions.inc.php b/interface/lib/classes/functions.inc.php
@@ -454,6 +454,25 @@ public function generate_ssh_key($client_id, $username = ''){
 			$app->log("Failed to create SSH keypair for ".$username, LOGLEVEL_WARN);
 		}
 	}
+	
+	public function htmlentities($value) {
+		global $conf;
+
+		if(is_array($value)) {
+			$out = array();
+			foreach($values as $key => $val) {
+				if(is_array($val)) {
+					$out[$key] = $this->htmlentities($val);
+				} else {
+					$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
+				}
+			}
+		} else {
+			$out = htmlentities($value, ENT_QUOTES, $conf["html_content_encoding"]);
+		}
+		
+		return $out;
+	}
 }
 
 ?>
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
@@ -179,6 +179,7 @@ public function getSearchSQL($sql_where = '')
 								&& $k == $_SESSION['search'][$list_name][$search_prefix.$field]
 								&& $_SESSION['search'][$list_name][$search_prefix.$field] != '')
 								? ' SELECTED' : '';
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'$selected>$v</option>\r\n";
 						}
 					}
@@ -610,17 +611,8 @@ function lng($msg) {
 	}
 
 	function escapeArrayValues($search_values) {
-		global $conf;
-
-		$out = array();
-		if(is_array($search_values)) {
-			foreach($search_values as $key => $val) {
-				$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
-			}
-		}
-
-		return $out;
-
+		global $app;
+		return $app->functions->htmlentities($search_values);
 	}
 
 }
diff --git a/interface/lib/classes/quota_lib.inc.php b/interface/lib/classes/quota_lib.inc.php
@@ -243,7 +243,8 @@ public function get_mailquota_data($clientid = null, $readable = true) {
 		if(is_array($emails) && !empty($emails)){
 			for($i=0;$i<sizeof($emails);$i++){
 				$email = $emails[$i]['email'];
-		
+				
+				$emails[$i]['name'] = $app->functions->htmlentities($emails[$i]['name']);
 				$emails[$i]['used'] = isset($monitor_data[$email]['used']) ? $monitor_data[$email]['used'] : array(1 => 0);
 		
 				if (!is_numeric($emails[$i]['used'])) $emails[$i]['used']=$emails[$i]['used'][1];
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
@@ -475,6 +475,7 @@ function getHTML($record, $tab, $action = 'NEW') {
 								$selected = ($k == $val)?' SELECTED':'';
 								if(isset($this->wordbook[$v]))
 									$v = $this->wordbook[$v];
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
 						}
@@ -494,7 +495,7 @@ function getHTML($record, $tab, $action = 'NEW') {
 								foreach($vals as $tvl) {
 									if(trim($tvl) == trim($k)) $selected = ' SELECTED';
 								}
-
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>$v</option>\r\n";
 							}
 						}
@@ -577,7 +578,7 @@ function getHTML($record, $tab, $action = 'NEW') {
 					
 					default:
 						if(isset($record[$key])) {
-							$new_record[$key] = htmlspecialchars($record[$key]);
+							$new_record[$key] = $app->functions->htmlentities($record[$key]);
 						} else {
 							$new_record[$key] = '';
 						}
@@ -608,7 +609,8 @@ function getHTML($record, $tab, $action = 'NEW') {
 						$out = '';
 						foreach($field['value'] as $k => $v) {
 							$selected = ($k == $field["default"])?' SELECTED':'';
-							$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
+							$v = $app->functions->htmlentities($this->lng($v));
+							$out .= "<option value='$k'$selected>".$v."</option>\r\n";
 						}
 					}
 					if(isset($out)) $new_record[$key] = $out;
@@ -622,7 +624,7 @@ function getHTML($record, $tab, $action = 'NEW') {
 						// HTML schreiben
 						$out = '';
 						foreach($field['value'] as $k => $v) {
-
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'>$v</option>\r\n";
 						}
 					}
@@ -693,7 +695,7 @@ function getHTML($record, $tab, $action = 'NEW') {
 					break;
 
 				default:
-					$new_record[$key] = htmlspecialchars($field['default']);
+					$new_record[$key] = $app->functions->htmlentities($field['default']);
 				}
 			}
 
@@ -911,6 +913,12 @@ function filterField($field_name, $field_value, $filters, $filter_event) {
 				case 'NOWHITESPACE':
 					$returnval = preg_replace('/\s+/', '', $returnval);
 					break;
+				case 'STRIPTAGS':
+					$returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));
+					break;
+				case 'STRIPNL':
+					$returnval = str_replace(array("\n","\r"),'', $returnval);
+					break;
 				default:
 					$this->errorMessage .= "Unknown Filter: ".$filter['type'];
 					break;
diff --git a/interface/web/mail/form/mail_user.tform.php b/interface/web/mail/form/mail_user.tform.php
@@ -144,6 +144,12 @@
 		'name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,7 @@ public function getSearchSQL($sql_where = '')`
`179`	`179`	`&& $k == $_SESSION['search'][$list_name][$search_prefix.$field]`
`180`	`180`	`&& $_SESSION['search'][$list_name][$search_prefix.$field] != '')`
`181`	`181`	`? ' SELECTED' : '';`
	`182`	`+ $v = $app->functions->htmlentities($v);`
`182`	`183`	`$out .= "<option value='$k'$selected>$v</option>\r\n";`
`183`	`184`	`}`
`184`	`185`	`}`
`@@ -610,17 +611,8 @@ function lng($msg) {`
`610`	`611`	`}`
`611`	`612`
`612`	`613`	`function escapeArrayValues($search_values) {`
`613`		`- global $conf;`
`614`		`-`
`615`		`- $out = array();`
`616`		`- if(is_array($search_values)) {`
`617`		`- foreach($search_values as $key => $val) {`
`618`		`- $out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);`
`619`		`- }`
`620`		`- }`
`621`		`-`
`622`		`- return $out;`
`623`		`-`
	`614`	`+ global $app;`
	`615`	`+ return $app->functions->htmlentities($search_values);`
`624`	`616`	`}`
`625`	`617`
`626`	`618`	`}`
Original file line number	Diff line number	Diff line change
`@@ -475,6 +475,7 @@ function getHTML($record, $tab, $action = 'NEW') {`
`475`	`475`	`$selected = ($k == $val)?' SELECTED':'';`
`476`	`476`	`if(isset($this->wordbook[$v]))`
`477`	`477`	`$v = $this->wordbook[$v];`
	`478`	`+ $v = $app->functions->htmlentities($v);`
`478`	`479`	`$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";`
`479`	`480`	`}`
`480`	`481`	`}`
`@@ -494,7 +495,7 @@ function getHTML($record, $tab, $action = 'NEW') {`
`494`	`495`	`foreach($vals as $tvl) {`
`495`	`496`	`if(trim($tvl) == trim($k)) $selected = ' SELECTED';`
`496`	`497`	`}`
`497`		`-`
	`498`	`+ $v = $app->functions->htmlentities($v);`
`498`	`499`	`$out .= "<option value='$k'$selected>$v</option>\r\n";`
`499`	`500`	`}`
`500`	`501`	`}`
`@@ -577,7 +578,7 @@ function getHTML($record, $tab, $action = 'NEW') {`
`577`	`578`
`578`	`579`	`default:`
`579`	`580`	`if(isset($record[$key])) {`
`580`		`- $new_record[$key] = htmlspecialchars($record[$key]);`
	`581`	`+ $new_record[$key] = $app->functions->htmlentities($record[$key]);`
`581`	`582`	`} else {`
`582`	`583`	`$new_record[$key] = '';`
`583`	`584`	`}`
`@@ -608,7 +609,8 @@ function getHTML($record, $tab, $action = 'NEW') {`
`608`	`609`	`$out = '';`
`609`	`610`	`foreach($field['value'] as $k => $v) {`
`610`	`611`	`$selected = ($k == $field["default"])?' SELECTED':'';`
`611`		`- $out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";`
	`612`	`+ $v = $app->functions->htmlentities($this->lng($v));`
	`613`	`+ $out .= "<option value='$k'$selected>".$v."</option>\r\n";`
`612`	`614`	`}`
`613`	`615`	`}`
`614`	`616`	`if(isset($out)) $new_record[$key] = $out;`
`@@ -622,7 +624,7 @@ function getHTML($record, $tab, $action = 'NEW') {`
`622`	`624`	`// HTML schreiben`
`623`	`625`	`$out = '';`
`624`	`626`	`foreach($field['value'] as $k => $v) {`
`625`		`-`
	`627`	`+ $v = $app->functions->htmlentities($v);`
`626`	`628`	`$out .= "<option value='$k'>$v</option>\r\n";`
`627`	`629`	`}`
`628`	`630`	`}`
`@@ -693,7 +695,7 @@ function getHTML($record, $tab, $action = 'NEW') {`
`693`	`695`	`break;`
`694`	`696`
`695`	`697`	`default:`
`696`		`- $new_record[$key] = htmlspecialchars($field['default']);`
	`698`	`+ $new_record[$key] = $app->functions->htmlentities($field['default']);`
`697`	`699`	`}`
`698`	`700`	`}`
`699`	`701`
`@@ -911,6 +913,12 @@ function filterField($field_name, $field_value, $filters, $filter_event) {`
`911`	`913`	`case 'NOWHITESPACE':`
`912`	`914`	`$returnval = preg_replace('/\s+/', '', $returnval);`
`913`	`915`	`break;`
	`916`	`+ case 'STRIPTAGS':`
	`917`	`+ $returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));`
	`918`	`+ break;`
	`919`	`+ case 'STRIPNL':`
	`920`	`+ $returnval = str_replace(array("\n","\r"),'', $returnval);`
	`921`	`+ break;`
`914`	`922`	`default:`
`915`	`923`	`$this->errorMessage .= "Unknown Filter: ".$filter['type'];`
`916`	`924`	`break;`